Aadhaar OTP Scam — How Callers Trick You Into Sharing the UIDAI OTP
Aadhaar OTP scams explained: how callers impersonate UIDAI, banks or the police to trick you into sharing the OTP that unlocks eKYC, bank accounts and SIM swaps.
How the scam actually works
- The scammer already knows your Aadhaar number (bought from a leaked database or a corrupt insider).
- They call posing as UIDAI, TRAI, police cyber-cell, or your bank — often with a spoofed caller ID.
- They trigger a real Aadhaar OTP from UIDAI's system (which is why the SMS looks legitimate).
- The moment you read out the OTP, they complete an eKYC — opening a wallet, SIM card, or loan account in your name.
Red flags — what to look for
- Any incoming call asking you to read out an OTP — UIDAI, banks and the police never ask for OTP by phone.
- Threat language: 'your Aadhaar will be blocked', 'FIR will be filed', 'CBI is investigating'.
- The caller knows your Aadhaar number or last-4 digits — that's harvested from leaks, not proof of legitimacy.
- Pressure to stay on the call while you check your inbox — real institutions let you call back on official numbers.
How to report in India
- Hang up immediately. Do not engage — every extra minute helps them social-engineer more info.
- Lock your Aadhaar biometric at https://resident.uidai.gov.in — this prevents new eKYC even if OTP is leaked later.
- Call 1930 and file on cybercrime.gov.in with the caller's number and any SMS you received.
- Check your bank statements and CIBIL report for the next 90 days — loan-account fraud shows up weeks later.
How to protect yourself going forward
Prevention is boring but works. Enable UPI transaction alerts on SMS + email (both, not just one). Set a daily UPI cap of ₹10,000 unless you actively need more — you can raise it back in 30 seconds when required. Add a separate low-balance current account for online payments and keep the salary account off UPI entirely. Lock your Aadhaar biometric at resident.uidai.gov.in — that alone stops most eKYC-based downstream fraud even if your OTP is leaked. Finally, tell one family member every time you get a suspicious message. Fraud thrives on isolation.
What actually helps recovery
Time. The single strongest recovery factor is reporting to 1930 within the first hour. RBI's Turnaround-Time framework requires banks to freeze beneficiary accounts within specific windows and the 1930 number is plugged directly into that flow. After 24 hours, freeze probability drops sharply. After 72 hours, recovery is rare. Screenshot everything: the SMS, the caller number, the UPI ID, and the debit alerts. All of these become evidence on cybercrime.gov.in.
Frequently asked questions
Can someone misuse my Aadhaar with just the number?
The number alone isn't enough for most eKYC — they also need the OTP (Aadhaar-linked mobile) or your biometric. That's why the OTP is what scammers actually want.
How do I lock my Aadhaar biometric?
Go to https://resident.uidai.gov.in, log in with Aadhaar + OTP, and choose 'Lock Biometrics'. This blocks all fingerprint/iris eKYC until you unlock it. Highly recommended.
Is masked Aadhaar safer?
Yes. Whenever a service asks for Aadhaar, share the masked version (first 8 digits hidden) from mAadhaar or DigiLocker. It works for most eKYC and reduces database-leak damage.
The caller had my full name and Aadhaar number — is that proof they're real?
No. Full name + Aadhaar is one of the most-leaked combinations on Indian breach dumps. Real UIDAI never proves identity by reciting your data — they let you verify them by calling back on 1947.
What's the official UIDAI helpline?
1947 (toll-free, 24×7). Any 'UIDAI' call from any other number is suspect. Hang up and call 1947 yourself to check.